Update module github.com/go-acme/lego/v4 to v4.25.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-acme/lego/v4	v4.13.3 -> v4.25.2

GitHub Vulnerability Alerts

CVE-2025-54799

Summary

It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client.

Details

Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1

Each ACME function is accomplished by the client sending a sequence
of HTTPS requests to the server [RFC2818], carrying JSON messages
[RFC8259]. Use of HTTPS is REQUIRED. Each subsection of Section 7
below describes the message formats used by the function and the
order in which messages are sent.

However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.

If the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.

Reproducing

This is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.

Please note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.

package api

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"net/http"
	"strings"
	"testing"
	"time"

	"github.com/go-acme/lego/v4/acme"
)

const letsEncryptURLHTTP = "http://acme-v02.api.letsencrypt.org/directory"
const letsEncryptURLHTTPS = "https://acme-v02.api.letsencrypt.org/directory"

func changeToHTTP(url *string) {
	if strings.HasPrefix(*url, "https:") {
		*url = "http" + (*url)[len("https"):]
	}
}

func changeToHTTPS(url *string) {
	if strings.HasPrefix(*url, "http:") {
		*url = "https" + (*url)[len("http"):]
	}
}

func TestHTTPURLs(t *testing.T) {
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		t.Fatalf("error generating a private key: %v", err)
	}

	func() {
		t.Log("testing that Discover enforces https")
		_, err := New(&http.Client{
			Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
			Timeout:   20 * time.Second,
		}, "", letsEncryptURLHTTP, "", privateKey)
		if err != nil {
			t.Errorf("New error: %v", err)
		}
	}()

	core, err := New(&http.Client{
		Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
		Timeout:   20 * time.Second,
	}, "", letsEncryptURLHTTPS, "", privateKey)
	if err != nil {
		t.Fatalf("New error: %v", err)
	}

	func() {
		t.Log("testing that account creation enforces https")

		// Simulate a misconfigured CA that gives out HTTP directory URLs and when
		// we're done change it back to HTTPS to test the rest.
		changeToHTTP(&core.directory.NewAccountURL)
		defer changeToHTTPS(&core.directory.NewAccountURL)

		_, err := core.Accounts.New(acme.Account{
			TermsOfServiceAgreed: true,
			Contact:              []string{},
		})
		if err != nil {
			t.Errorf("core.Accounts.New error: %v", err)
		}
	}()

	_, err = core.Accounts.New(acme.Account{
		TermsOfServiceAgreed: true,
		Contact:              []string{},
	})
	if err != nil {
		t.Fatalf("core.Accounts.New error: %v", err)
	}
}

type httpsOnlyRoundTripper struct {
	inner http.RoundTripper
}

func (r *httpsOnlyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Scheme != "https" {
		return nil, fmt.Errorf("non-https request is being sent")
	}
	return r.inner.RoundTrip(req)
}

_

---

Release Notes

go-acme/lego (github.com/go-acme/lego/v4)

v4.25.2

Compare Source

Changed

• [cli,log] log when dynamic renew date not yet reached

Fixed

• [cli] fix: remove wrong env var
• [lib,cli] fix: enforce HTTPS to the ACME server

v4.25.1

Compare Source

Fixed

• [cli] fix: wrong CLI flag type

v4.25.0

Compare Source

The binary size of this release is about ~50% smaller compared to previous releases.

This will also reduce the module cache usage by 320 MB (this will only affect users of lego as a library or who build lego themselves).

Added

• [dnsprovider] Add DNS provider for ZoneEdit
• [cli] Add an option to define dynamically the renew date
• [lib,cli] Add an option to disable common name in CSR

Changed

• [dnsprovider] vinyldns: add an option to add quotes around the TXT record value
• [dnsprovider] ionos: increase default propagation timeout

Fixed

• [cli] fix: enforce domain into renewal command

v4.24.0

Compare Source

Added

• [dnsprovider] Add DNS provider for Azion
• [dnsprovider] Add DNS provider for DynDnsFree.de
• [dnsprovider] Add DNS provider for ConoHa v3
• [dnsprovider] Add DNS provider for RU Center
• [dnsprovider] gcloud: add service account impersonation

Changed

• [dnsprovider] pdns: improve error messages
• [dnsprovider] cloudflare: add quotation marks to TXT record
• [dnsprovider] googledomains: provider deprecation
• [dnsprovider] mijnhost: improve record filter

Fixed

• [dnsprovider] exoscale: fix find record
• [dnsprovider] nicmanager: fix mode env var name and value
• [lib,cli] Check order identifiers difference between client and server

v4.23.1

Compare Source

Due to an error related to Snapcraft, some artifacts of the v4.23.0 release have not been published.

This release contains the same things as v4.23.0.

v4.23.0

Compare Source

Added

• [dnsprovider] Add DNS provider for Active24
• [dnsprovider] Add DNS provider for BookMyName
• [dnsprovider] Add DNS provider for Axelname
• [dnsprovider] Add DNS provider for Baidu Cloud
• [dnsprovider] Add DNS provider for Metaregistrar
• [dnsprovider] Add DNS provider for F5 XC
• [dnsprovider] Add INFOBLOX_CA_CERTIFICATE option
• [dnsprovider] route53: adds option to use private zone
• [dnsprovider] edgedns: add account switch key option
• [dnsprovider] infoblox: update API client to v2
• [lib,cli] Add delay option for TLSALPN challenge

Changed

• [dnsprovider] designate: speed up API requests by using filters
• [dnsprovider] cloudflare: make base URL configurable
• [dnsprovider] websupport: migrate to API v2
• [dnsprovider] dnssimple: use GetZone

Fixed

• [ari] Fix retry on alreadyReplaced error
• [cli,log] Fix malformed log messages
• [cli] Kill hook when the command is stuck
• [dnsprovider] pdns: fix TXT record cleanup for wildcard domains
• [dnsprovider] allinkl: remove ReturnInfo

v4.22.2

Compare Source

Fixed

• [dnsprovider] acme-dns: use new registred account

v4.22.1

Compare Source

Fixed

• [dnsprovider] acme-dns: continue the process when the CNAME is handled by the storage

Added

v4.22.0

Compare Source

Added

• [cli] Add --private-key flag to set the private key.
• [cli] Add LEGO_DEBUG_ACME_HTTP_CLIENT environment variable to debug the calls to the ACME server.
• [cli] Add LEGO_EMAIL environment variable for specifying email.
• [cli] Add --hook-timeout flag to run and renew commands.
• [dnsprovider] Add DNS provider for myaddr.{tools,dev,io}
• [dnsprovider] Add DNS provider for Spaceship
• [dnsprovider] acme-dns: add HTTP storage
• [lib,cli,httpprovider] Add --http.delay option for HTTP challenge.
• [lib,cli,profiles] Add support for Profiles Extension.
• [lib] Add an option to set CSR email addresses

Changed

• [lib] rewrite status management
• [dnsprovider] docs: improve units and default values

Removed

• [dnsprovider] netcup: remove TTL option

Fixed

• [cli,log] remove extra debug logs

v4.21.0

Compare Source

Added

• [dnsprovider] Add DNS provider for Rainyun/雨云
• [dnsprovider] Add DNS provider for West.cn/西部数码
• [dnsprovider] Add DNS provider for ManageEngine CloudDNS
• [cli] feat: add --force-cert-domains flag to renew

Fixed

• [cli] create client only when needed
• [cli] clone the transport with tls-skip-verify
• [cli] use retryable client for ACME server calls
• [dnsprovider] bunny: fix zone detection
• [dnsprovider] inwx: delete only the TXT record related to the DNS challenge
• [dnsprovider] infomaniak: increase default propagation timeout
• [dnsprovider] dnsmadeeasy: use default transport
• [dnsprovider] netcup: increase default propagation values
• [dnsprovider] otc: use default transport

v4.20.4

Compare Source

Publish the Snap to the Snapcraft stable channel.

v4.20.3

Compare Source

Fixed

• [dnsprovider] technitium: fix status code handling
• [dnsprovider] directadmin: fix timeout configuration
• [httpprovider] fix: HTTP server IPv6 matching

v4.20.2

Compare Source

Added

• [dnsprovider] Add DNS provider for Technitium
• [dnsprovider] Add DNS provider for Regfish
• [dnsprovider] Add DNS provider for Timeweb Cloud
• [dnsprovider] Add DNS provider for Volcano Engine
• [dnsprovider] Add DNS provider for Core-Networks
• [dnsprovider] rfc2136: add support for tsig-keygen generated file
• [cli] Add option to skip the TLS verification of the ACME server
• Add documentation for env var only options

Changed

• [cli,ari] Attempt to check ARI unless explicitly disabled
• [dnsprovider] Improve propagation check error messages
• [dnsprovider] cloudxns: provider deprecation
• [dnsprovider] brandit: provider deprecation

Fixed

• [dnsprovider] regru: update authentication method
• [dnsprovider] selectelv2: fix non-ASCII domain
• [dnsprovider] limacity: fix error message
• [dnsprovider] volcengine: set API information within the default configuration
• [log] Parse printf verbs in log line output

v4.20.1

Compare Source

Cancelled due to CI failure.

v4.20.0

Compare Source

Cancelled due to CI failure.

v4.19.2

Compare Source

Fixed

• [lib] go1.22 compatibility

v4.19.1

Compare Source

Fixed

• [dnsprovider] selectelv2: use baseURL from configuration
• [dnsprovider] epik: add User-Agent

v4.19.0

Compare Source

Added

• [dnsprovider] Add DNS provider for HuaweiCloud
• [dnsprovider] Add DNS provider for SelfHost.(de|eu)
• [lib,cli,dnsprovider] Add dns.propagation-rns option
• [cli,dnsprovider] Add dns.propagation-wait flag
• [lib,dnsprovider] Add PropagationWait function

Changed

• [dnsprovider] ionos: follow CNAME
• [lib,dnsprovider] Reducing the lock strength of the soa cache entry
• [lib,cli,dnsprovider] Deprecation of dns.disable-cp, replaced by dns.propagation-disable-ans.

Fixed

• [dnsprovider] Use UTC instead of GMT when possible
• [dnsprovider] namesilo: restrict CleanUp
• [dnsprovider] godaddy: fix cleanup

v4.18.0

Compare Source

Added

• [dnsprovider] Add DNS provider for mijn.host
• [dnsprovider] Add DNS provider for Lima-City
• [dnsprovider] Add DNS provider for DirectAdmin
• [dnsprovider] Add DNS provider for Mittwald
• [lib,cli] feat: add option to handle the overall request limit
• [lib] feat: expose certificates pool creation

Changed

• [cli] feat: add LEGO_ISSUER_CERT_PATH to run hook
• [dnsprovider] bluecat: skip deploy
• [dnsprovider] ovh: allow to use ovh.conf file
• [dnsprovider] designate: allow manually overwriting DNS zone

Fixed

• [ari] fix: avoid Int63n panic in ShouldRenewAt()

v4.17.4

Compare Source

Fixed

• [dnsprovider] Update dependencies

v4.17.3

Compare Source

Added

• [dnsprovider] Add DNS provider for Selectel v2
• [dnsprovider] route53: adds option to not wait for changes
• [dnsprovider] ovh: add OAuth2 authentication
• [dnsprovider] azuredns: use TenantID also for cli authentication
• [dnsprovider] godaddy: documentation about new API limitations
• [cli] feat: add LEGO_ISSUER_CERT_PATH to hook

Changed

• [dnsprovider] dode: update API URL
• [dnsprovider] exec: stream command output
• [dnsprovider] oracle: update API client
• [dnsprovider] azuredns: servicediscovery for zones
• [dnsprovider] scaleway: add alternative env var names
• [dnsprovider] exoscale: simplify record creation
• [dnsprovider] httpnet: add provider to NewDNSChallengeProviderByName
• [cli] feat: fills LEGO_CERT_PFX_PATH and LEGO_CERT_PEM_PATH only when needed
• [lib,ari] feat: renewal retry after value

Fixed

• [dnsprovider] pdns: reconstruct zone URLs to enable non-root folder API endpoints
• [dnsprovider] alidns: fix link to API documentation

v4.17.2

Compare Source

Canceled due to a release failure related to Snapcraft.

The Snapcraft release are disabled for now.

v4.17.1

Compare Source

Canceled due to a release failure related to oci-go-sdk.

The module github.com/oracle/oci-go-sdk/v65 uses github.com/gofrs/flock but flock doesn't support some platform (like Solaris):

• gofrs/flock#60

Due to that we will remove the Solaris build.

v4.17.0

Compare Source

Canceled due to a release failure related to Snapcraft.

v4.16.1

Compare Source

Fixed

• [cli,ari] fix: don't generate ARI cert ID if ARI is not enable

v4.16.0

Compare Source

Added

• [dnsprovider] Add DNS provider for Shellrent
• [dnsprovider] Add DNS provider for Mail-in-a-Box
• [dnsprovider] Add DNS provider for CPanel and WHM

Changed

• [lib,ari] Implement 'replaces' field in newOrder and draft-ietf-acme-ari-03 CertID changes
• [log] feat: improve errors and logs related to DNS call
• [lib] update to go-jose/go-jose/v4 v4.0.1

Fixed

• [dnsprovider] nifcloud: fix bug in case of same auth zone
• [dnsprovider] bunny: Support delegated subdomains
• [dnsprovider] easydns: fix zone detection
• [dnsprovider] ns1: fix record creation

v4.15.0

Compare Source

Added

• [dnsprovider] Add DNS provider for http.net
• [dnsprovider] Add DNS provider for Webnames

Changed

• [cli] Add environment variable for specifying alternate directory URL
• [cli] Add format option for PFX encoding
• [lib] Support simplified issuance for very long domain names at Let's Encrypt
• [lib] Update CertID format as per draft-ietf-acme-ari-02
• [dnsprovider] azuredns: allow OIDC authentication
• [dnsprovider] azuredns: provide the ability to select authentication methods
• [dnsprovider] efficientip: add insecure skip verify option
• [dnsprovider] gandiv5: add Personal Access Token support
• [dnsprovider] gcloud: support GCE_ZONE_ID to bypass zone list
• [dnsprovider] liquidweb: add LWAPI_ prefix for env vars
• [dnsprovider] liquidweb: detect zone automatically
• [dnsprovider] pdns: optional custom API version
• [dnsprovider] regru: client certificate support
• [dnsprovider] regru: HTTP method changed to POST
• [dnsprovider] scaleway: add cname support

Fixed

• [dnsprovider] cloudru: change default URLs
• [dnsprovider] constellix: follow rate limiting headers
• [dnsprovider] desec: increase default propagation interval
• [dnsprovider] gandiv5: Add "Bearer" prefix to the auth header
• [dnsprovider] inwx: improve sleep calculation
• [dnsprovider] inwx: wait before generating new TOTP TANs
• [dnsprovider] ionos: fix DNS record removal
• [dnsprovider] ipv64: remove unused option
• [dnsprovider] nifcloud: fix API requests
• [dnsprovider] otc: sequential challenge

v4.14.2

Compare Source

Changelog

• a6ddcac Prepare release v4.14.2
• 5ef996e chore: temporary workaround
• 8a7fd67 Detach v4.14.1

v4.14.1

Compare Source

Fixed

• [dnsprovider] bunny: fix zone detection
• [dnsprovider] bunny: use NRDCG fork
• [dnsprovider] ovh: update client to v1.4.2

v4.14.0

Compare Source

Added

• [dnsprovider] Add DNS provider for Yandex 360
• [dnsprovider] Add DNS provider for cloud.ru
• [httpprovider] Adding S3 support for HTTP domain validation

Changed

• [cli] Allow to set EAB kid and hmac via environment variables
• [dnsprovider] Migrate to aws-sdk-go-v2 (lightsail, route53)

Fixed

• [dnsprovider] nearlyfreespeech: fix authentication
• [dnsprovider] pdns: fix notify
• [dnsprovider] route53: avoid unexpected records deletion

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 46 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.19 -> 1.24.0
github.com/gofrs/flock	v0.8.1 -> v0.12.1
github.com/golang/protobuf	v1.5.3 -> v1.5.4
github.com/google/go-cmp	v0.5.9 -> v0.7.0
github.com/stretchr/testify	v1.8.4 -> v1.10.0
golang.org/x/crypto	v0.12.0 -> v0.40.0
golang.org/x/net	v0.14.0 -> v0.42.0
google.golang.org/grpc	v1.57.0 -> v1.73.0
cloud.google.com/go/compute/metadata	v0.2.3 -> v0.7.0
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.6.0 -> v1.18.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity	v1.3.0 -> v1.10.1
github.com/Azure/azure-sdk-for-go/sdk/internal	v1.3.0 -> v1.11.1
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns	v1.1.0 -> v1.2.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns	v1.1.0 -> v1.3.0
github.com/Azure/go-autorest/autorest	v0.11.24 -> v0.11.30
github.com/Azure/go-autorest/autorest/adal	v0.9.18 -> v0.9.22
github.com/Azure/go-autorest/autorest/azure/auth	v0.5.12 -> v0.5.13
github.com/Azure/go-autorest/autorest/azure/cli	v0.4.5 -> v0.4.6
github.com/Azure/go-autorest/autorest/to	v0.4.0 -> v0.4.1
github.com/AzureAD/microsoft-authentication-library-for-go	v1.0.0 -> v1.4.2
github.com/google/uuid	v1.3.0 -> v1.6.0
github.com/googleapis/enterprise-certificate-proxy	v0.2.3 -> v0.3.6
github.com/googleapis/gax-go/v2	v2.7.1 -> v2.14.2
github.com/gophercloud/gophercloud	v1.0.0 -> v1.14.1
github.com/gophercloud/utils	v0.0.0-20210216074907-f6de111f2eae -> v0.0.0-20231010081019-80377eca5d56
github.com/hashicorp/go-retryablehttp	v0.7.4 -> v0.7.8
github.com/iij/doapi	v0.0.0-20190504054126-0bbf12d6d7df -> v0.0.0-20190504054126-0bbf12d6d7df
github.com/linode/linodego	v1.17.2 -> v1.53.0
github.com/liquidweb/liquidweb-go	v1.6.3 -> v1.6.4
github.com/mattn/go-isatty	v0.0.19 -> v0.0.20
github.com/miekg/dns	v1.1.55 -> v1.1.67
github.com/nrdcg/desec	v0.7.0 -> v0.11.0
github.com/nrdcg/freemyip	v0.2.0 -> v0.3.0
github.com/nrdcg/porkbun	v0.2.0 -> v0.4.0
github.com/nzdjb/go-metaname	v1.0.0 -> v1.0.0
github.com/ovh/go-ovh	v1.4.1 -> v1.9.0
github.com/pkg/browser	v0.0.0-20210911075715-681adbf594b8 -> v0.0.0-20240102092130-5ac0b6a4141c
github.com/sacloud/api-client-go	v0.2.8 -> v0.3.2
github.com/sacloud/go-http	v0.1.6 -> v0.1.9
github.com/sacloud/iaas-api-go	v1.11.1 -> v1.16.1
github.com/sacloud/packages-go	v0.0.9 -> v0.0.11
github.com/softlayer/softlayer-go	v1.1.2 -> v1.1.7
github.com/spf13/cast	v1.3.1 -> v1.6.0
github.com/yandex-cloud/go-genproto	v0.0.0-20220805142335-27b56ddae16f -> v0.14.0
go.uber.org/ratelimit	v0.2.0 -> v0.3.1
golang.org/x/mod	v0.11.0 -> v0.25.0
gopkg.in/ns1/ns1-go.v2	v2.7.6 -> v2.14.4